© Grant Thornton 


An instinct for growth 


Phil Keown 

Engagement Lead 

T: 020 7728 2394 

E: philip.r.keown@uk.gt.com 


Will Simpson 

Associate Director 

T: 0161 953 6486 

E: will.g.simpson@uk.gt.com 


Fraser Pirie 

Associate 

T: 0161 953 6423 

E: fraser.j.pirie@uk.gt.com 


Brittany Brown 

Associate 

T: 0161 953 6398 

E: brittany.e.brown@uk.gt.com 


Information Commissioner's Office 


Internal Audit 2015-16: Finance Review 


Last updated: 8 March 2016 


Distribution Timetable 
For action Head of Finance Fieldwork completed 18 December 2015 
Draft report issued 2 February 2016 
For information Senior Corporate Governance Management comments 12 February 2016 
Manager 
Audit Committee Final report issued 17 February 2016 


Contents 


Sections Glossary 
1 Executive Summary 1 The following terms are used in this report: 
2 Detailed Findings 4 f ; 
MS Gteat Plains Finance system 
Appendices ICE Customer management system 
A [Internal audit approach 12 PO Purchase Order 


B Definition of overall assessment internal audit ratings 15 GRN Goods Received Note 


This report is confidential and is intended for use by the management and Directors of the ICO only. It forms part of our continuing dialogue with you. It should not be made available, in 
whole or in part, to any third party without our prior written consent. We do not accept responsibility for any reliance that third parties may place upon this report. Any third party relying 
on this report does so entirely at its own risk. We accept no liability to any third party for any loss or damage suffered or costs incurred, arising out of or in connection with the use of this 
report, however such loss or damage is caused. 


It is the responsibility solely of the ICO management to ensure that there are adequate arrangements in place in relation to risk management, governance and control. 


Information Commissioner's Office | Internal Audit | Finance Review 


1 Executive Summary 


1.1 Background 

As part of the 2015-16 Internal Audit Plan, we agreed with management 
and the Audit Committee to undertake a review of key controls over the 
ICO’s finance arrangements. 


The ICO's main source of income is from fees relating to its Data 
Protection activities, which are collected from Data Controllers who 
notify they are processing personal data under the Data Protection Act 
1998. The annual fee is £35 for charities and small organisations with 
fewer than 250 employees, while a higher fee of £500 applies to data 
controllers who have an annual turnover of £25.9 million or more or 
employing more than 250 people. 


Fees collected in the year 2014-15 totalled more than £17.5million 
(2013-14: £16.5million); a 6% increase over the previous year. The 
forecasted fee income for 2015-16 is £18million. 


The ICO has recently implemented a new finance system, Great Plains, 
and this review focussed on three key areas of control: 


e Purchase ledger 


e Income recognition and processing — regarding Data Protection fees 
that are paid by cheque, card Direct Debit and BACS 
e Segregation of duties and access rights on the finance system. 
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1 Executive summary 


2 Detailed Findings 
Appendices 


The objective of our review was to establish whether or not there are a 
strong set of controls in the purchase ledger and income recognition 
processes and how these meet the ICO requirements. 


1.2 Scope 
Our review involved an assessment of the following risks: 


Purchase ledger 

e The controls over the processing of purchase invoices may be 
inadequate; 

e The controls over the matching of purchase invoices to approved 
purchase orders and goods receipts records may be inadequate; 

e The process for approval of invoices for payment may be 
inadequate; and 

e The approval of payments may not be made in accordance with the 
established delegated authorities. 


Income recognition 

e The processing of receipts for Data Protection fees from all sources 
may not be sufficiently well controlled; and 

e Income processed through the Great Plains system may not be 
reconciled to the ICE customer management system. 


Segregation of duties 
e Appropriate segregation may not be in place across key financial 
activities (specifically between the originator of purchase orders and 
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those authorising the invoice for payment and also during the 
processing of receipts from fee-payers); and 


The ICO may not tailor access rights on its finance system to the 


requirements of individuals' roles. 


Purther details on responsibilities, approach and scope are included in 
Appendix A. 


1.3 
We 


Overall assessment 
have made an overall assessment of our findings as: 


Overall assessment 


Following agreement of the nature and significance of individual issues 


with 


management, in our view this report contains matters which 


require the attention of management to resolve and report on progress 
in line with current follow up processes. 


Please refer to Appendix B for further information regarding our overall 
assessment and audit finding ratings. 


1.4 Key findings 

Risk / Process 

Purchase ledger - - 1 1 
Income recognition - - 3 1 
Segregation of duties - 2 - - 
Total - 2 4 2 


The following findings are assessed as Medium: 


We found that user access rights to the MS Great Plains system were 
not appropriate, as each member of the Finance team is a designated 
super user with access to amend user profiles and to edit supplier 

details. As the system is now established at the ICO, a formal review 
of user access rights (including super users) should be undertaken to 
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2 Detailed Findings 
Appendices 


enforce segregation of duties and limit the abilities of individuals to 
process finance data. 

After the BACS payment file is generated as a text file, a check of 
bank details is done by a separate member of the Finance team. 
However this check is not documented, and once the check is 
complete the file is then returned to the same member of staff who 
generated the BACS file for upload into Bankline. We noted that the 
payment file is not locked down at any point, meaning there is a risk 
that supplier details can be amended prior to upload into Bankline. 


Further details of our findings and recommendations are provided in 
Section 2. 


Basis of preparation 


We identified the following controls in place during our audit: 


Purchases are requested through the completion of a purchase 
requisition which will be charged to the department of the 
requesting staff member. Once a purchase has been requested, it is 
automatically forwarded (workflow) within MS Great Plains to the 
relevant budget holder or other member of staff with authority to 
approve that order. 

After purchases have then been approved by the Head of Finance, a 
purchase order is generated by Finance and sent back to the 
requestor. The order will then be submitted to the supplier and will 
include relevant purchase details to facilitate matching of PO, GRN 
and invoice. Orders requested with a new supplier will not be 
processed until the supplier has been added onto the system. 
Invoices are loaded onto the system by the Finance team upon 
receipt into the Finance department. They will only be matched to a 
purchase order if the goods or services have already been receipted 
by the purchaser who checks a box in MS Great Plains. There is a 
tolerance level of £1 to account for rounding errors when matching 
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invoices. The system does not allow duplicate invoices to be 
uploaded. 

e A report is run to flag any invoices which are uploaded to the system 
but which relate to an order which has not yet been marked as 
received. These are then chased by the Finance team to understand 
why goods or services have not yet been receipted. 

e Invoices cannot be added onto a payment run without appropriate 
approval and matching to an order and receipt; once they have been 
approved and matched they will be automatically added to the 
payment run. 

e Once invoices have been approved, a payment run is uploaded to 
Bankline by a member of the Finance team. Once it has been 
uploaded into Bankline, it requires two digital signatures within the 
system before the payment run can be processed. 

e MS Great Plains automatically forwards orders to identified 
approvers for approval. This forwarding is built into the system and 
can only be overridden by a system administrator. 

e There is a system of horizontal hierarchy in place on Great Plains, 
meaning that there are multiple delegated authorities and the Head 
of Department who receive a notification once a purchase has been 
logged on the system. One of the designated approvers must then 
approve this, which then removes the notification from the other 
approvers. This is an efficient way of approving invoices and 
purchases as a number of staff see the notification. 

e Cheques and direct debit mandates are processed in batches with 
corresponding batch headers to denote the number in each batch 
and their total value. 

e The Registration department have documented procedures in place, 
available on ICON (organisation intranet) detailing how to process 
new Direct Debit mandates and Cheque batches. 

e Fees may also be paid in via direct debit mandates. These are 
processed by the Registration team and batched in a similar way to 
cheques. Direct debit collections are processed by the Finance team 
daily. The Direct Debit file is generated from the information stored 
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2 Detailed Findings 
Appendices 


in ICE and uploaded to the BACS system. These receipts are then 
processed electronically and reconciled the following day. 

e ICE automatically sends notifications to registered users 42 days in 
advance of their registration expiring; reminders are also sent. If a 
customer has registered with their email address details, the 
reminder will be emailed; if a customer has registered with postal 
address reminders are sent by post using an external fulfilment 
company. 


1.6 Elsewhere in the sector 

We detail below other ways of working and commonly occurring issues 
that we have experienced during similar types of reviews for other public 
bodies. The following does not necessarily purport to be good practice 
but is included for your information and consideration: 


e We have seen elsewhere that organisations will insist on requiring 
purchase orders for all purchases. We understand that the ICO may 
introduce this at a later date once the new system is more deeply 
embedded within the culture of the ICO. 


1.7 Acknowledgement 
We would like to take this opportunity to thank the staff involved for 
their co-operation during this internal audit. 
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2 Detailed Findings 


2.1 Purchase Ledger 


1 Executive summary 


2. Detailed Findings 


Appendices 


Purchase ledger system approvals 


Finding and Implication 


Proposed action 


Agreed action (Date / Ownership) 


During the course of our audit we became aware that there 
are two routes to adding an invoice to the system. For orders 
which require a purchase order (PO) a clear process is in 
place to raise and approve the purchase and to 
subsequently match the order to the goods received and 
invoice. 


However, there are also 'non PO-able' designated items, 
which are added to the system when an invoice arrives; e.g. 
heat, light, travel, legal fees etc. These are items for which 
the order value cannot be accurately determined in advance 
and therefore the difference would typically be outside the 
£1 limit. These invoices can only be approved by a budget 
holder; Finance adds them to the system and the items are 
then approved by the Head of Finance. 


We noted that there are no policies or formal procedures to 
denote when this process should be applied, which may lead 
to non-agreed items being purchased without an order being 
placed. 


Clear policies should be implemented making it 
clear which suppliers and/or services are 
permitted to be procured without a purchase 
order being in place, which should include the 
authority required to engage with these 
suppliers. 


All non PO-able invoices are pre-agreed by the 
Head of Finance and are listed on ICON. The list 
contains only those items that cannot be valued 
before invoice stage and the invoice would 
always be approved by the budget holder before 
payment. No item outside this list will be 
processed without a PO. 


The list will be reviewed to ensure that it is up to 
date and policies will make the process clear. 


Date Effective: 31 May 2016 


Owner: Sally Hanson 
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1 Executive summary 


2. Detailed Findings 


Appendices 


2. Policies and procedures 


Finding and Implication 


Proposed action 


Agreed action (Date / Ownership) 


Prior to our audit, we were informed that a new management 
accountant would be starting in January 2016. As part of 
their role, they will take on some duties currently performed 
by the Head of Finance, including approval of all orders on 
the MS Great Plains system. This will address the 
inefficiency arising from the Head of Finance having to 
approve all orders. 


Also, as part of the introduction of this role, financial policies 
and procedures will be refreshed to fully incorporate the new 
MS Great Plains system and reflect current procedures. 


The ICO should assign responsibility for 
checking purchase orders for accuracy and 
compliance to the new Management Accountant 
to reduce the workload of and reliance upon the 
Head of Finance and to maintain accountability 
within the business units. 


We support the ICO's intention to refresh its 
policies and procedures to refer to the new MS 
Great Plains system and recommend that this 
review should include referencing the role of the 
Management Accountant and their role and 
responsibilities. 


The new purchase management system is in its 
early stages of implementation and there are a 
number of operational issues still to resolve. It is 
our intention to transfer PO approval to the 
management accountant as soon as practical. 


The management accountant has already 
started to review and update all of the policies 
and procedures around this issue and the new 
finance system. 


This review will take some time given that the 
Management Accountant and Head of Finance 
are both new to the organisation. However, we 
are committed to a thorough review of all 
policies and procedures including the process 
for purchase order approval. 


Date Effective: 31 December 2016 


Owner: Sally Hanson 
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1 Executive summary 
2. Detailed Findings 
Appendices 


Income recognition 


Registration of customer accounts 


Finding and Implication 


Proposed action 


Agreed action (Date / Ownership) 


During testing we noted that when cheques are received, the 
Registration team will update the customer account within 
ICE to recognise payment of the fee. However this does not 
take into account the fact that a cheque may bounce or may 
be falsified and so cannot be banked. With this, there is a 
risk that customer accounts may not accurately reflect the 
actual cash received by the ICO. 


We noted that customers will be issued with a certificate of 
registration before income is recognised in the bank 
account. This is also the case for credit card reports. The 
report used to update the ICE system is the transaction 
report, rather than the money actually collected. Although a 
second report is also automatically generated which details 
money collected and this is used to discover discrepancies 
between money received and anticipated transactions, there 
is a risk that customer accounts may not accurately reconcile 
with the actual cash received by the ICO and customers may 
be issued with registration certificates before funds have 
cleared. 


We recommend that the Registration team 
explore the option of updating the ICE records 
based on actual cash banked, rather than the 
receipt of cheques in order for customer records 
to accurately show payments. This would also 
address the risk that certificates are issued 
before payment is confirmed as received. 


Whilst the logic of the recommended approach 
is recognised, in practice it would result in an 
extra step in the registration process for both the 
Finance and Registration Teams for all 
registrations. It would also delay the vast 
majority of registrations where payment goes 
through properly by up to a couple of weeks. It is 
therefore the view of the ICO that the benefits of 
ensuring 100% of registrations are properly 
made would be far outweighed by the additional 
cost to the ICO in administering the process and 
the built in delay for the vast majority of 
registrations. 


No further action necessary. 
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a Executive summary 


2. Detailed Findings 


Appendices 


| Allocation of BACS funds 


Finding and Implication 


Proposed action 


Agreed action (Date / Ownership) 


During discussions with Finance we noted that, while the 
ICO explicitly states that BACS transfers are not accepted 
as a means of payment of data protection fee income due to 
difficulties in allocating the fees, around 3-4% of total fee 
income for the year is still received by BACS. Once this 
arrives in the ICO bank account, unless there is a reference 
with a customer registration number, it cannot be allocated 
to an ICE customer account. 


We noted during testing that Finance will journal all monies 
received via BACS transfer and will allocate these as far as 
possible; however there will still be some which are not 
allocated. We also noted that customers occasionally pay 
into the wrong ICO bank account, which then requires a 
reallocation via the daily bank reconciliation. 


There is a risk that customer records are not updated, 
despite payment being received leading to inaccurate 
customer records. We also noted that despite Finance's best 
efforts, much cash will remain in the reconciliation 
spreadsheet as “unallocated to a customer”. While this 
income is allocated in management account data as data 
protection fee income, it does not get allocated to a 
customer account. 


We also noted that there is an odd value of unallocated cash 
which has been recognised as data protection fee income. 
As fees charged are either £35 or £500, it is not correct to 
assume that all BACS income is data protection fees. Using 
information accurate to the dates we were on site, 
£32,149.88 remained unreconciled for this financial year, the 
majority of this within December 2015 (£18,290.00). Since 
this total cannot be a multiple of the round sums involved, it 
would imply that a mistake has been made. 


We recommend that management reiterate the 
ICO's position on not accepting BACS transfers 
in order to reduce the manual workload of the 
Finance team. 


We also recommend that management review 
how the current process for allocating BACS 
receipts to a customer account on ICE can be 
improved to reflect the cash received via BACS 
to customer accounts. 


Management should also consider how they can 
report on fee income which arrives by BACS 
transfer to ensure that an accurate figure is 
reported. 


The ICO’s stated policy is that BACs payments 
are not accepted. However, there are cases 
where data controllers cannot make payments 
by any other means, and where a data controller 
demonstrates that this is the case such 
payments are accepted. In addition the ICO 
cannot actually stop BACs payments being 
made except by changing its bank account. The 
ICO therefore considers it is doing all it 
reasonably can to limit BACs payments being 
made. 


It is worth adding that the unallocated funds are 
not all registration fees because other income 
can be paid into the account in error, such as 
conference fees. This arises because some 
customers have this account established within 
their own finance systems and do not always 
check that funds are being sent to the right 
account as per the invoice. Such sums are 
normally relatively easy to identify and are 
moved to the right account leaving the remaining 
much smaller balances to be treated as fees. 


The ICO does accept the need to ensure that 
these balances are reconciled and cleared 
down, and we will do this as part of our year end 
processes. We will also review the process with 
the Registration department to resolve the issue 
of unallocated fee income. 


Date Effective: 31* May 2016 


Owner: Sally Hanson 
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1 Executive summary 
2. Detailed Findings 
Appendices 


5. Use of cash accounting for recognising income 


Finding and Implication 


Proposed action 


Agreed action (Date / Ownership) 


At present, the ICO does not account for income on a 
deferred or accrued basis; instead DP Fees are accounted 
for on a cash accounting basis which is inconsistent with its 
income recognition policy. 


As Data Protection laws are currently being reviewed and 
revisions will be phased in over the next two years, there 
may be an increase in the number of registrations and there 
is a risk that the ICO’s Data Protection fee income may be 
incorrectly reported if it experiences a major increase in Data 
Controllers in a single year. 


The ICO should report its Data Protection 
income applying the accruals basis to comply 
with its accounting policies. 


A registration only becomes valid when a fee 
has actually been paid; at which point the 
anniversary of the original registration becomes 
the renewal date as opposed to it being the 
payment date. This suggests that income 
recognition should be based on the payment 
date as the ICO could never forecast who may 
pay and when, and we could not back date the 
income recognised. 


If the ICO did follow an accruals basis we could 
never account for the registrations we had not 
received and were yet to accrue at year end as, 
per the above point. 


And we suspect, given the rate in which the 
register increases (including new and drop off) 
that any difference in income recognition year on 
year from deferred income would net off to an 
immaterial amount. Given the level of work that 
would be required to bring this into the accounts, 
the ICO does not intend changing its processes. 


No further action necessary. 
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1 Executive summary 


2. Detailed Findings 


Appendices 


Finding and Implication 


Proposed action 


Agreed action (Date / Ownership) 


Data Controllers can choose to pay by card using an online 
payment system on the ICO website. Barclaycard is the 
system used by ICO to process card payments and on a 
daily basis, a report is generated which can then be 
automatically fed into ICE to update customer records to 
denote payment. 


There is then a second report run by Barclaycard which 
details the payments which have been processed, but not 
yet received, such as a foreign card payment. We noted that 
this report does not automatically feed into ICE. Instead, 
Finance performs a manual reconciliation to keep track of 
expected payments into account. Whilst we found no issues 
with this process, it would be more efficient if this secondary 
report could be automatically uploaded into ICE. 


We recommend that management investigate 
the possibility of establishing an automatic link 
between the Barclaycard system and ICE to 
reduce the need for manual reconciliation. 


It is agreed that the ICO will investigate the 
possibility of establishing an automatic link 
between the Barclaycard system and ICO. 


Date Effective: 31 May 2016 


Owner: Andrew Jarvis 
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2.3 Segregation of duties 


a Executive summary 


2. Detailed Findings 


Appendices 


The User access rights 


Finding and Implication 


Proposed action 


Agreed action (Date / Ownership) 


We tested the process in place for paying invoices and were 
made aware that, at the time of our audit, a member of the 
Finance team currently prepares the payment run. This 
member of staff also has access to amend supplier details 
on the system. 


We were informed that the intention is to change this when a 
new management accountant is recruited and starts work in 
January 2016. 


Furthermore, during discussion with the Head of Finance, 
we were made aware of a significant piece of work which 
was undertaken to identify appropriate access rights for all 
users to the Great Plains system. However all four members 
of the Finance team have ‘super user’ access which enables 
them to amend user profiles, alter supplier details and raise 
purchases. 


The current access rights structure enables staff in the 
Finance function to have potential access to the entire 
processing of purchases without segregation, which exposes 
the ICO to a heightened risk of misappropriation from an 
individual. We would expect to see clear segregation of 
duties to prevent a single member of staff having the 
functionality to undertake the full purchase process. Further, 
we would normally expect super-user rights to be held by 
individuals who are independent of the Finance team and lie 
elsewhere, usually within IT or a similar function. 


We recommend that the ICO fully investigate the 
access rights within MS Great Plains to fully 
understand what capabilities the super users 
have. 


We recommend that these super user rights are 
removed from Finance staff and allocated to 
appropriate individuals from outside of the 
Finance team. 


Further, a review of access rights amongst the 
Finance team should be undertaken to 
implement appropriate segregation of duties that 
prevent individuals from undertaking entire 
processing without the involvement of a second 
person. Super user access should also be 
logged and monitored regularly to track what 
has been done. 


We agree there is a need to review this. At the 
time of writing there is a support and training 
issue for the systems administration which is 
causing operational difficulties and requires the 
Lead Finance Officer to keep super user access 
status until we address the lack of training. This 
is being treated as a priority. 


Date Effective: 30"" June 2016 


Owner: Sally Hanson 
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1 Executive summary 


2. Detailed Findings 


Appendices 


8. | Medium | Bank detail changes 


Finding and Implication 


Proposed action 


Agreed action (Date / Ownership) 


A check of bank details takes place on a weekly basis before 
each payment run. We noted that once the payment run has 
been generated, the BACS file is generated and then saved 
by the same member of the Finance team onto a secure 
drive within Finance. 


Once it is saved here, another member of the team checks 
the bank details to confirm that they are correct. This second 
member of the Finance team can amend bank details as 
part of their check. The check is done informally and not 
signed off. Once the check has been done, the second 
member of the Finance team will let the first member of staff 
know that it is ready to be uploaded into Bankline for 
processing. 


There is a risk that the member of staff can amend the 
BACS file, including bank details, before upload onto 
Bankline. 


The BACS payment run file should be locked 
down once it has been generated so that bank 
details or payment values cannot be changed. If 
changes are needed following the review, these 
should be processed in Great Plans and a new 
BACS payment run file should be created, which 
is subject to the same review and checks as the 
initial file. 


We also recommend that a more formal check of 
bank details is recorded, creating an audit trail 
which can be used to track errors 


Agreed. Lock down of the BACs payment run file 
was implemented in January 2016. 


A process to put in place more formal checks of 
bank details will be put in place. 


Date Effective: 30th June 2016 


Owner: Sally Hanson 
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A Internal audit approach 


Approach 

Our role as internal auditor to a Public Body is to provide an independent 
and objective opinion to the Accounting Officer on risk management, 
control and governance processes, by measuring and evaluating their 
effectiveness in achieving the organisation's agreed strategic objectives. 


Our audit was carried out in accordance with the guidance contained 
within the Government’s Internal Audit Standards (2013) and the 
Auditing Practices Board’s ‘Guidance for Internal Auditors’. We also had 
regard to the Institute of Internal Auditors’ guidance on risk based 
internal auditing (2005). In addition, we comply in all material respects 
with other Government guidance applicable to Public Bodies and have 
had regard to the HM Treasury guidelines on effective risk management 
(the “Orange Book’). 


As part of the 2015-16 Internal Audit Plan, we have agreed with 
management and the Audit Committee to undertake a review of key 
controls over the ICO’s finance arrangements, to further inform our on- 
going understanding of the ICO’s key internal control activities. 


Our aim in completing this audit was to ensure that the ICO has 
appropriate arrangements in place to identify, manage and report on risk. 
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1. Executive summary 
2. Detailed Findings 


Appendices 


We achieved our audit objectives by: 


e meeting with key staff to gain an understanding of the arrangements 
in place to perform key finance activities; 

e identifying the key risks to these arrangements and evaluating the 
management controls that mitigate these risks; and 

e reviewing key documents that support the above processes. 


The findings and conclusions from this review will support our annual 
opinion to the Audit Committee on the adequacy and effectiveness of 
internal control arrangements. 


Responsibilities 

The Information Commissioner acts through his Board of Management 
and the Information Commissioner's Office ("ICO") discharges his 
obligations. Therefore references to the Information Commissioner and 
the ICO in this report relate to one and the same party. 


It is the responsibility of the Information Commissioner to ensure that the 
ICO has adequate and effective risk management, control and governance 
processes. 


HM Treasury's Corporate Governance in Central Government 
Departments (2011) states that boards of Public Bodies should determine 
the nature and extent of the significant risks it is willing to take in 
achieving its strategic objectives. The Board should therefore maintain 
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sound risk management and internal control systems and should establish 
formal and transparent arrangements for considering how they should 
apply the corporate reporting and risk management and internal control 
principles and for maintaining an appropriate relationship with the 
organisation's auditors. 


Please refer to our letter of engagement for full details of responsibilities 
and other terms and conditions. 


Scope 


Our review involved an assessment of the following risks: 


Purchase ledger 

e The processing of purchase invoices may be inadequate resulting in 
the failure to identify errors in invoice details, coding and amounts or 
the payment of invoices that are inaccurately priced or are duplicates 
of existing invoices. 

e The matching of purchase invoices to approved purchase orders and 
goods receipts records may be inadequate resulting in the inaccurate 
reporting of accruals and the payment of suppliers for goods and 
services that have not been ordered or received, or have been returned 
leading to financial loss, or the processing of duplicate payments 

e Approval of invoices for payment may be inadequate resulting in the 
breach of delegated authorities and financial loss to the company. 

e The approval of payments may not be made in accordance with the 
delegated authorities of approval resulting in breaches of company 
policy and potential financial loss 

Income recognition 

e The processing of receipts for Data Protection fees from all sources 
may not be robustly controlled resulting in inaccurate allocation of 
fees to clients' accounts and inaccurate reporting of income 

e Income processed through the Great Plains system may not be 
reconciled to the ICE customer management system resulting in a 
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failure to produce accurate income data for reporting and decision 
making 

Segregation of duties 

e Appropriate segregation may not be in place across key financial 
activities (specifically between the originator of purchase orders and 
those authorising the invoice for payment and the processing of 
receipts from fee-payers) resulting in the potential for 
misappropriation not being detected or prevented 


e The ICO may not tailor access rights on its finance system to the 
requirements of individual’s roles resulting in unauthorised 
amendments to customer and supplier data, amendments being made 
in error or inappropriately leading to inaccurate management 
information and/or potential financial loss. 


Additional information 


Client staff 
The following staff were consulted as part of this review: 


e Heather Dove — Head of Finance 

e Sandrine Leostic — Senior Finance Officer 

e David Pulo — Finance Officer 

e Natalie Bray — Finance Officer 

e Traci Shirley — Team Manager, Customer Contact (Registration) 
e Helen Adshead — Line Manager, Customer Contact (Registration) 


Documents received 
The following documents were received during the course of this audit: 


e List of non PO-able items (see above comments on 2.1) 
e Delegated Listing of Authority 

e User rights testing spreadsheet 

e Batch signing sheet 
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e Screenshot of DP Fee income documents 
e BACS reconciliation file 

e Credit card reconciliation file 

e Registration process documentation 

e ICE Cheque Batch Report 

e Renewals Post Batch Header 

e Batch Book excerpts 


Locations 


We visited The Information Commissioner's Office, Wilmslow for this 
review. 
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2: Detailed Findings 


Appendices 


B Definition of overall assessment internal audit ratings 


Overall assessment 


Rating Description 


Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which should be 
raised with Senior Management and the Audit Committee at the earliest opportunity. 


Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which require the 
attention of management to resolve and report on progress in line with current follow up processes. 


We have identified matters which, if resolved, will help management fulfil their responsibility to maintain a robust system of internal control. 


Audit issue rating 
Within each report, every audit issue is given a rating. This is summarised in the table below. 


Rating Description Features 


Key control not designed or operating effectively 
Potential for fraud identified 

Non compliance with key procedures / standards 
Non compliance with regulation 


Findings that are fundamental to the management of risk in the business 
area, representing a weakness in control that requires the immediate 
attention of management 


e — Impact is contained within the department and compensating 
controls would detect errors 

e Possibility for fraud exists 

e Control failures identified but not in key controls 

e Non compliance with procedures / standards (but not resulting in key 
control failure) 


Important findings that are to be resolved by line management. 


e Minor control weakness 


| Findings that identify non-compliance with established procedures. e Minor non compliance with procedures / standards 


e Information for department management 
e Control operating but not necessarily in accordance with best 
practice 


Items requiring no action but which may be of interest to management or 
best practice advice 
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